Rfid Credit Card Hacking

Posted on

A hacker can then process exactly one transaction of their own using your card, as the CVV code that is taken is one time use only. It’s not the most lucrative of electronic pickpocketing, but it does happen. If you install one at a busy ATM, then you may get 100 or more one-time transactions in a single day. RFID is especially subject to hacking because the transmission protocol is not encrypted, and, at least, in the first generation of RFID-enabled credit cards, it would transmit the financial.

  1. Rfid Protection For Credit Cards
  2. Rfid Credit Card Visa
  3. Credit Card Hacking Sites

A new breed of digital pickpocket has been discovered lurking in stations and shopping centres.

They come armed with technology that can effortlessly steal credit and debit card details without so much as touching your wallet.

Standing just six inches (15cm) away, these criminals use radio-frequency identification (RFID) readers to harvest bank details in a practice known as ‘digital skimming’.

Scroll down for video

If a readers or RFID-app enabled smartphone is within range, it can pick up the wireless signals transmitted when that card is being used to buy a product (left). David Bryan (right), a security specialist at Chicago's Trustwave, stood by crowded shopping areas with a device stashed in his backpack to show how it works

ABC7 I-Team recently revealed just how easily thieves steal personal details from cards that use ‘wave and pay’ radio technology.

David Bryan, a security specialist at Chicago's Trustwave, stood by crowded shopping areas with a device stashed in his backpack that could read card numbers.

Share this article

‘The technology is high-frequency RFID,’ Mr Bryan told DailyMail.com.

‘It uses 13.56 Mhz to communicate with the card and the reader.

‘In this instance, I used low power Embedded Linux Computer, and an easily purchasable RFID reader.

The technology in the card, known as radio frequency identification (RFID), transmits bank details via its own radio signal. A RFID reader can pick up these details in a matter of seconds

HOW DIGITAL PICKPOCKETS WORK

The technology in the card, known as radio frequency identification (RFID), transmits bank details via its own radio signal.

Standing just six inches (15cm) away, these criminals use RFID readers or apps to harvest bank details in a practice known as ‘skimming’.

If a readers or RFID-app enabled smartphone is within range, it can pick up the wireless signals transmitted when that card is being used to buy a product.

The information can then be input into a machine that can be purchased for $300-$400 to replicate the card.

Cards can be protected from RFID skimmers by being wrapped in tin foil or being kept in special foil-lined wallets.

‘This was then powered by a USB Battery, and stuck into a backpack.’

As well as a device, digital pickpockets can download an RFID app onto their phone.

If a reader or RFID-app enabled smartphone is within range, it can pick up the wireless signals transmitted when that card is being used to buy a product.

The information can then be input into a machine that can be purchased for $300-$400 to replicate the card.

Security firm Norton says that this year 70 per cent of credit cards will be vulnerable to digital pick pocketing.

‘The device can read many different RFID tags- including MiFare Cards, EMV Cards, and many type of RFID tags,’ said Mr Bryan. ‘It works with many Near Field Communication tags and devices’

Because RFID is always switched on, some payment experts say it's more vulnerable to attack than NFC.

'This demonstration shows that contactless payment card reading technology is not a silver bullet for security,' said Mr Bryan.

RFID readers can be bought cheaply online. They can also be downloaded onto a smartphone from an app

'RFID payment cards need to be backed by a mobile device that generates one-time payment card numbers for that specific transaction- rather than having a static payment card that never expires.

'In a crowded train, if someone has an RFID payment card, I could easily pull that data if I get close enough - or have a large enough antenna'

As well as using it in his backpack, Mr Bryan successfully stole numbers by attaching the equipment to a laptop.

‘The three digit code on the back of the card could help,’ Marc Rotenberg, President of the Electronic Privacy Information Center (Epic) told DailyMail.com.

This code can’t be read by the device, but fake cards could be created without the three digit code and presented at shops.

‘We have some questions about the implementation [of the three digit code] because it wouldn’t make sense to implement it if you don’t require presentation of the product,’ said Mr Rotenberg.

Places to watch out for digital pickpockets include crowded shopping centres and busy stations where transactions are constantly being made

Special wallets that use foil can block these radio frequency signals, but the threat remains very real.

Apple Pay is attempting to overcome the problem by not storing any numbers on an iPhone.

A Chase Bank spokesperson also told the ABC7 I-Team that they are discontinuing the use of that radio technology on their cards.

‘It’s not necessary wrong to pursue these techniques, but more needs to be done to safeguard people,’ said Mr Rotenberg.

A PURSE THAT FIGHTS CRIME: CLUTCH PROTECTS YOU FROM DIGITAL THEFT

Articulate's clutch (right) blocks RFID (Radio Frequency Identification) signals - the relatively new technology that allows us to simply wave our credit cards over a scanner to pay for goods (left)

A tech-savvy accessories label has launched a clutch purse with built-in capabilities to protect against identity theft.

Articulate's clutch costs $35 to pre-order and blocks RFID (Radio Frequency Identification) signals - the relatively new technology that allows us to simply wave our credit cards over a scanner to pay for goods.

According to the team behind the purse - entrepreneur Kevin and his sister Lindsay, based in San Diago, California - the clutch contains a 'special material' embedded into the design to help block these pesky RFID signals.

'Criminals with very minimal technical skills have created devices similar to the scanner which vendors such as grocery stores use,' the website description reads.

It comes in a range of colors and can also be worn over the shoulder thanks to the chain strap.

According to the United States Federal Trade Commission, identity theft had been holding steady for the last few years, having seen an increase of 21 per cent in 2008.

How much do you know about RFID chips? Do you know how many you’re carrying at any given moment? Do you know what information is stored on them? Do you know how close a hacker needs to get to you in order to steal that information? Have you considered any form of RFID protection? And most importantly, do you know what RFID protection will be effective?

These days, RFID chips are present in all sorts of items, such as credit cards, library books, grocery goods, security tags, implanted pet details, implanted medical records, passports and more. Some schools now require their students wear RFID tags. The amount of information which could be learned about you from your RFID chips is quite a lot! Plus, you never know what those information thieves are planning on doing with your information, either. So, it’s best to understand the risks of RFID hacking and limit your exposure to harm. Here’s the basics of what you need to know.

What Is RFID?

RFID stands for Radio Frequency IDentification and it’s used for short-distance communication of information. It does not require line of sight to work, meaning that the RFID chip and the reader merely need to be within range of each other to communicate.

There are a few main types of RFID chip:

  • Passive Tags require a radio signal to be emitted from the receiver in order to be read. This also means they operate on a small distance and can’t transmit a lot of data. Examples of these can be found in credit cards and door passes.
  • Active Tags have on-board batteries and can therefore actively transmit their data over a larger distance. Also, they can transmit a larger amount of data than passive tags. Examples of active tags include toll passes mounted in cars.

RFID frequencies vary according to the device and country, but usually operate in this range:

  • Low Frequency RFID is <135 KHz
  • High Frequency RFID is 13.56 MHz
  • Ultra High Frequency (UFH) RFID is 868-870 MHz or 902-928 MHz
  • Super High Frequency (SHF) RFID is 2.400-2.483 GHz

How Easy Is It To Scan RFID Chips?

RFID hackers have repeatedly shown how easy it is to get hold of information contained in RFID chips. As some chips are re-writable, it’s even quite easy for hackers to delete or replace RFID information with their own data.

It has been said that on eBay hackers can get hold of all the equipment they would need to build an RFID scanner for less than $20. This means that anyone anywhere could be trying to read your RFID chips – and that’s worrying.

There are also numerous articles online showing exactly how one might go about making your own RFID reader, such as this article using basic parts and some Arduino skills.

Here’s an interesting article about RFID hacking which will give you a lot to think about, where Wired talks to RFID hackers about various exploits, including breaking into an internet security company, changing the prices on grocery items before purchasing, cloning RFID tags and using grocery items to open hotel rooms, deleting information from library books, getting free petrol, breaking into cars, tracking where people drive and reading medical data.

How To Block RFID Signals

In general, metal and water are the best ways to block radio signals to and from your RFID chip. Once that radio signal is blocked, the data cannot be read.

Now, we need to dispel a myth. Some people think that wrapping your credit cards in aluminium foil will be enough to protect them from RFID scanners. This is not true! A foil wrapping will help, but it won’t stop the scanner. It just means the scanner has to be a lot closer to you to get the information.

If you haven’t yet bought some decent RFID protection, foil will help you somewhat, but it’s not a real solution to the problem. A neat idea is to line the money pouch of your wallet with foil, so that all of your cards contained within are somewhat protected from RFID scanning.

Rfid Protection For Credit Cards

It should also be mentioned that many sellers of RFID protection are basically just selling foil sleeves. Be wary of these as they won’t protect you fully.

In some countries, governments have begun to give accreditation to RFID protection that complies to certain standards. Be on the lookout for this accreditation when you purchase RFID protective wallets, passport pouches and sleeves.

The most effective RFID-protecting sleeves, pouches and wallets on the market are those that use a Faraday Cage within a leather exterior. Faraday cages in paper sleeves are also very effective, but will be less durable. Search for protection that contains the words “Electromagnetically Opaque” and you should be on the right track.

It’s also possible to break your RFID tags. To disable an RFID chip, common practices involve a large electromagnetic pulse (such as microwaving the chip) or hitting it with a hammer. Note that most disabling methods could ruin the rest of the item too, which is not ideal.

Another important thing you can do to protect yourself is to ensure your security plan does not rely on RFID only. For instance, contact your credit card issuer and see if they will disable RFID-only purchases on your card. Then if someone were to clone the RFID tag in your card you would still be safe from theft. Another example would be to not rely on RFID door passes alone for your office and to ensure there is another robust security system in place.

If you are paranoid about your RFID presence, you could make your own RFID reader and regularly check your household to see what is readable and check how well your RFID protection is working. For the extremely paranoid, you could also check the data on each item to see if anything has been changed.

Have you got any other great tips to protect yourself against RFID exploits? Or do you have a horror story to share?

Rfid Credit Card Visa

Image Credit: Shutterstock, Shutterstock, Shutterstock

Credit Card Hacking Sites

  1. Many people are thinking of implanting these chips into their bodies. How would they defend from hacking in this situation?

    • what is there to hack ?
      I have a nfc implants and the distance required to read the chip hasn't be less than 1cm. I've tried with various readers and never able to read with 1+CM.

      also even if 'they' hack my chip, what use could they have ? to track me with this tag is a silly thought as well, how would one know it is ME who has the chip, cause there are no visual clues on my hand to reveal that I have a implants.

      if people are so scared of surveillance and privacy they they really need to rethink the causes. ones mobiles are constantly being tracked, visa and MasterCards with nfc contain more damageble data (from theft POV) and so on.
      not to.mention all the cookies our browsers store and can be tracked down to what we have searched on the web and which wites we have been visiting.

      so honestly, there are more risks in our general everyday-behaviours than these implants :)

  2. I have personally found that a neodymium magnet (found in hard drives) completely disable RFID when physically pressed together.

  3. I am a Leather Smith and would like to find the right product that I can incorporate into my wallets to protect people from this sort of theft If anyone know anything about using the right material to help protect people from this mess please send me a reply thank you.

    • Mary:
      I was looking for a product for my own personal wallets/bags, after researching just what works and doesn't. The article above concurs with what I've found from multiple sources.
      After knowing what to look for, I found this:
      Kryptronic Technologies, Munich, Germany
      Produces a sheet product called CryptAlloy. http://www.cryptalloy.de/en/cryptalloy/
      They seem to answer all questions, and provide a quasi-Faraday cage and electromagnetic reflection/attenuation product. Reading all the pages on the site will give you a great knowledge of the topic.
      The bad news is they show no dealers in the Americas, I wrote, but no response.
      Perhaps someone should ask who can speak German?
      Let me know if you track down any source where we can buy in small supply, please.
      You can write me at KnowHound and the domain is AOL com.

  4. So, what is stopping criminal from using devices similar to skimming on ATMs to steal info?

  5. Thanks for the informative article.

  6. These pretty cool things are not yet among us in Africa..but they sound awesome!

    • Why do they sound 'awesome' - the article was a cautionary tale. Are you amongst the nasty buggers in Nigeria always trying to find new ways to rip off the law-abiding world?

      • I was talking about the RFID protective wallets. Did you read the whole article or where you just going through the comments to find out about the subject?! And for your info I'm not from Nigeria but stop thinking that low about this country. These 'nasty buggers' are everywhere in the world. Thanks.

  7. Accessory shops sell small metal wallets quite cheaply. The small ones are about the size of a stack of six cards, and could fit in a large wallet. I was surprised when I started getting compliments on mine, as I thought of it as just functional.

    • By the way, think twice before destroying your rfid chips, or preventing them from being used for transactions.
      You may wish to disable your debit card's rfid, but keep a rfid credit card, so you can do small transactions while you travel. In Europe and Japan, you may be assumed to have one of these.

  8. they want to put this into peoples arms???

    • yes, in your right hand or forehead.

      Those without can't buy or sell anything nor do banking or hold a job.

      As soon as the next global disaster hits, nearly everyone will have to have one for food rationing..

  9. Great article Angela! Very informative yet very troubling. Thank you & thank MakeUseOf.com for publishing you! By the way, I live in Alcorn County, Mississippi. The county in which the city I really live is located, was named to honor the first Republican Gov of the state - his last name was Alcorn! Enough on the history already!

  10. Very interesting stuff.Point taken,thanks for sharing this.

  11. A metal credit card holder in a wallet would help.

  12. The thinking about hacking RFID is just scary XD

  13. that is good to know we will keep our eyes open.thanks a lot

  14. Advanced Technology! With it's pros and cons.
    Nice Article. Thanks

  15. very useful info thanks./

  16. Grate and useful, thanks 'makeusof'.

  17. A very interesting article, thank you. I am glad that I prefer to use older style authentication methods for my banking now :) but as said above, no system is perfect. Vigilance and awareness of possible risk helps promote safety. Beep! now what rfid set that off?!!

  18. This is really useful information to have. Would the Sony Smart Tags have rfid chips in them?

    • yes they have

  19. Getting an Arduino costs more than $65 and it's not that easy to deal with, so probably, not REALLY everyone could be reading your cards .

    Psd wedding frames for photoshop free download. The files are printable and customizable.

    • you can buy the chip for $2, get a programmer for $10, wolah, cheap arduino.

  20. their is no system 100% safe, all the system has a weak point, the different is how to hide it

  21. Thanks for sharing us this info .

  22. Distance is moot, the fact that it's possible is an issue in itself

  23. wow..so useful nowadays, thanks.